Prometheus: HTTP monitoring with the Blackbox exporter

Hello everyone. In May OTUS is launching a workshop on monitoring and logging of both infrastructure and applications using Zabbix, Prometheus, Grafana and ELK. In this connection, we traditionally share useful material on the topic.

The Blackbox exporter for Prometheus lets you monitor external services over HTTP, HTTPS, DNS, TCP and ICMP. In this article I will show you how to set up HTTP/HTTPS monitoring with the Blackbox exporter. We will run the Blackbox exporter in Kubernetes.

Environment

We will need the following:

  • Kubernetes
  • Prometheus Operator

Blackbox exporter configuration

We configure Blackbox through a ConfigMap that defines the http module for monitoring web services.

apiVersion: v1
kind: ConfigMap
metadata:
  name: prometheus-blackbox-exporter
  labels:
    app: prometheus-blackbox-exporter
data:
  blackbox.yaml: |
    modules:
      http_2xx:
        http:
          no_follow_redirects: false
          preferred_ip_protocol: ip4
          valid_http_versions:
          - HTTP/1.1
          - HTTP/2
          valid_status_codes: []
        prober: http
        timeout: 5s

The http_2xx module is used to check that the web service returns an HTTP 2xx status code. The Blackbox exporter configuration is described in more detail in the documentation.

Deploying the Blackbox exporter to a Kubernetes cluster

We describe a Deployment and a Service for the deployment in Kubernetes.

---
kind: Service
apiVersion: v1
metadata:
  name: prometheus-blackbox-exporter
  labels:
    app: prometheus-blackbox-exporter
spec:
  type: ClusterIP
  ports:
    - name: http
      port: 9115
      protocol: TCP
  selector:
    app: prometheus-blackbox-exporter

---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: prometheus-blackbox-exporter
  labels:
    app: prometheus-blackbox-exporter
spec:
  replicas: 1
  selector:
    matchLabels:
      app: prometheus-blackbox-exporter
  template:
    metadata:
      labels:
        app: prometheus-blackbox-exporter
    spec:
      restartPolicy: Always
      containers:
        - name: blackbox-exporter
          image: "prom/blackbox-exporter:v0.15.1"
          imagePullPolicy: IfNotPresent
          securityContext:
            readOnlyRootFilesystem: true
            runAsNonRoot: true
            runAsUser: 1000
          args:
            - "--config.file=/config/blackbox.yaml"
          resources:
            {}
          ports:
            - containerPort: 9115
              name: http
          livenessProbe:
            httpGet:
              path: /health
              port: http
          readinessProbe:
            httpGet:
              path: /health
              port: http
          volumeMounts:
            - mountPath: /config
              name: config
        - name: configmap-reload
          image: "jimmidyson/configmap-reload:v0.2.2"
          imagePullPolicy: "IfNotPresent"
          securityContext:
            runAsNonRoot: true
            runAsUser: 65534
          args:
            - --volume-dir=/etc/config
            - --webhook-url=http://localhost:9115/-/reload
          resources:
            {}
          volumeMounts:
            - mountPath: /etc/config
              name: config
              readOnly: true
      volumes:
        - name: config
          configMap:
            name: prometheus-blackbox-exporter

The Blackbox exporter can be deployed with the following command. The monitoring namespace is the one used by the Prometheus Operator.

kubectl --namespace=monitoring apply -f blackbox-exporter.yaml

Make sure that all the services are running with the following command:

kubectl --namespace=monitoring get all --selector=app=prometheus-blackbox-exporter

Checking Blackbox

You can reach the Blackbox exporter web interface using port-forward:

kubectl --namespace=monitoring port-forward svc/prometheus-blackbox-exporter 9115:9115

Connect to the Blackbox exporter web interface in a web browser at localhost:9115.

If you go to the address http://localhost:9115/probe?module=http_2xx&target=https://www.google.com, you will see the result of checking the specified URL (https://www.google.com).

A probe_success metric value of 1 means the check succeeded. A value of 0 indicates an error.

Configuring Prometheus

After deploying the Blackbox exporter, we configure Prometheus in prometheus-additional.yaml.

- job_name: 'kube-api-blackbox'
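  # Value as published. The alert rules later on this page use "for: 5m",
  # which needs samples far more often than once a week.
  scrape_interval: 1w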
  metrics_path: /probe
  params:
    module: [http_2xx]
  static_configs:
   - targets:
      - https://www.google.com
      - http://www.example.com
      - https://prometheus.io
  relabel_configs:
   - source_labels: [__address__]
     target_label: __param_target
   - source_labels: [__param_target]
     target_label: instance
   - target_label: __address__
     replacement: prometheus-blackbox-exporter:9115 # The blackbox exporter.
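
How the three relabel_configs entries in this job turn each static target into a request to the exporter, as an added Python sketch that is not part of the original article. It models only the default replace action with the default regex, and the function names are illustrative.

```python
from urllib.parse import urlencode

# Relabel rules copied from the scrape job above (only the fields this job uses).
RELABEL_CONFIGS = [
    {"source_labels": ["__address__"], "target_label": "__param_target"},
    {"source_labels": ["__param_target"], "target_label": "instance"},
    {"target_label": "__address__", "replacement": "prometheus-blackbox-exporter:9115"},
]


def apply_relabeling(labels, rules):
    """Apply 'replace' rules with the default regex (.*): copy or overwrite a label."""
    labels = dict(labels)
    for rule in rules:
        # Source label values are joined with ';', the default separator.
        source = ";".join(labels.get(n, "") for n in rule.get("source_labels", []))
        # The default replacement is "$1", i.e. the whole joined source value.
        value = rule.get("replacement", "$1").replace("$1", source)
        labels[rule["target_label"]] = value
    return labels


def scrape_request(target, module="http_2xx", metrics_path="/probe", scheme="http"):
    """Return (url, instance) that one static target ends up with after relabeling."""
    labels = {
        "__address__": target,            # the static_configs entry, before relabeling
        "__metrics_path__": metrics_path,
        "__scheme__": scheme,
        "__param_module": module,         # from params: module: [...]
    }
    labels = apply_relabeling(labels, RELABEL_CONFIGS)
    # Every __param_<name> label becomes a URL query parameter of the scrape.
    params = {k[len("__param_"):]: v for k, v in labels.items() if k.startswith("__param_")}
    url = "{}://{}{}?{}".format(labels["__scheme__"], labels["__address__"],
                                labels["__metrics_path__"], urlencode(params))
    return url, labels["instance"]


if __name__ == "__main__":
    for t in ("https://www.google.com", "http://www.example.com", "https://prometheus.io"):
        print(scrape_request(t))
```

Prometheus therefore always connects to the exporter Service, while the probed URL travels in the target parameter and is kept as the instance label that the alert summaries print.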

We generate a Secret using the following command.

# tr strips the line wraps base64 adds, so the value stays on one YAML line
PROMETHEUS_ADD_CONFIG=$(base64 < prometheus-additional.yaml | tr -d '\n')
cat << EOF | kubectl --namespace=monitoring apply -f -
apiVersion: v1
kind: Secret
metadata:
  name: additional-scrape-configs
type: Opaque
data:
  prometheus-additional.yaml: $PROMETHEUS_ADD_CONFIG
EOF

We point the Prometheus Operator at additional-scrape-configs using additionalScrapeConfigs.

kubectl --namespace=monitoring edit prometheuses k8s
...
spec:
  additionalScrapeConfigs:
    key: prometheus-additional.yaml
    name: additional-scrape-configs

We go to the Prometheus web interface and check the metrics and targets.

kubectl --namespace=monitoring port-forward svc/prometheus-k8s 9090:9090

We see the Blackbox metrics and targets.

Adding rules for notifications (alerts)

To receive notifications from the Blackbox exporter, we add rules to the Prometheus Operator.

kubectl --namespace=monitoring edit prometheusrules prometheus-k8s-rules
...
  - name: blackbox-exporter
    rules:
    - alert: ProbeFailed
      expr: probe_success == 0
      for: 5m
      labels:
        severity: error
      annotations:
        summary: "Probe failed (instance {{ $labels.instance }})"
        description: "Probe failed\n  VALUE = {{ $value }}\n  LABELS: {{ $labels }}"
    - alert: SlowProbe
      expr: avg_over_time(probe_duration_seconds[1m]) > 1
      for: 5m
      labels:
        severity: warning
      annotations:
        summary: "Slow probe (instance {{ $labels.instance }})"
        description: "Blackbox probe took more than 1s to complete\n  VALUE = {{ $value }}\n  LABELS: {{ $labels }}"
    - alert: HttpStatusCode
      expr: probe_http_status_code <= 199 OR probe_http_status_code >= 400
      for: 5m
      labels:
        severity: error
      annotations:
        summary: "HTTP Status Code (instance {{ $labels.instance }})"
        description: "HTTP status code is not 200-399\n  VALUE = {{ $value }}\n  LABELS: {{ $labels }}"
    - alert: SslCertificateWillExpireSoon
      expr: probe_ssl_earliest_cert_expiry - time() < 86400 * 30
      for: 5m
      labels:
        severity: warning
      annotations:
        summary: "SSL certificate will expire soon (instance {{ $labels.instance }})"
        description: "SSL certificate expires in 30 days\n  VALUE = {{ $value }}\n  LABELS: {{ $labels }}"
    - alert: SslCertificateHasExpired
      expr: probe_ssl_earliest_cert_expiry - time()  <= 0
      for: 5m
      labels:
        severity: error
      annotations:
        summary: "SSL certificate has expired (instance {{ $labels.instance }})"
        description: "SSL certificate has expired already\n  VALUE = {{ $value }}\n  LABELS: {{ $labels }}"
    - alert: HttpSlowRequests
      expr: avg_over_time(probe_http_duration_seconds[1m]) > 1
      for: 5m
      labels:
        severity: warning
      annotations:
        summary: "HTTP slow requests (instance {{ $labels.instance }})"
        description: "HTTP request took more than 1s\n  VALUE = {{ $value }}\n  LABELS: {{ $labels }}"
    - alert: SlowPing
      expr: avg_over_time(probe_icmp_duration_seconds[1m]) > 1
      for: 5m
      labels:
        severity: warning
      annotations:
        summary: "Slow ping (instance {{ $labels.instance }})"
        description: "Blackbox ping took more than 1s\n  VALUE = {{ $value }}\n  LABELS: {{ $labels }}"

In the Prometheus web interface, go to Status => Rules and find the alert rules for the Blackbox exporter.
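
The instant conditions of four of the rules above (ProbeFailed, HttpStatusCode and the two SSL certificate rules), evaluated over a single /probe response; this is an added example, not part of the original article. The sample responses are constructed, the function names are illustrative, and the for: hold time and the avg_over_time rules are left out because they need a series rather than one sample.

```python
# Constructed /probe responses (not captured from a real exporter).
SAMPLE_OK = """\
# HELP probe_http_status_code Response HTTP status code
# TYPE probe_http_status_code gauge
probe_http_status_code 200
probe_ssl_earliest_cert_expiry 1.7e+09
probe_success 1
"""
SAMPLE_FAILED = "probe_http_status_code 0\nprobe_success 0\n"


def parse_probe_output(text):
    """Parse text exposition lines (assumed to carry no timestamps) into a dict."""
    metrics = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):   # skip blanks, HELP and TYPE lines
            continue
        name, _, value = line.rpartition(" ")  # the value is the last field
        metrics[name] = float(value)
    return metrics


def firing_conditions(metrics, now):
    """Names of the page's rules whose expr is true at time `now` (Unix seconds)."""
    firing = []
    if metrics.get("probe_success") == 0:
        firing.append("ProbeFailed")
    status = metrics.get("probe_http_status_code")
    if status is not None and (status <= 199 or status >= 400):
        firing.append("HttpStatusCode")
    expiry = metrics.get("probe_ssl_earliest_cert_expiry")
    if expiry is not None:
        remaining = expiry - now
        if remaining < 86400 * 30:
            firing.append("SslCertificateWillExpireSoon")
        if remaining <= 0:   # an expired certificate also satisfies the rule above
            firing.append("SslCertificateHasExpired")
    return firing


if __name__ == "__main__":
    ten_days_before = 1_700_000_000 - 10 * 86400
    print(firing_conditions(parse_probe_output(SAMPLE_OK), ten_days_before))
    print(firing_conditions(parse_probe_output(SAMPLE_FAILED), ten_days_before))
```

With these rules an expired certificate raises both SSL alerts at once, and a probe that reports status code 0 raises HttpStatusCode alongside ProbeFailed, which is worth knowing when routing or inhibiting notifications.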

Configuring notifications for Kubernetes API server SSL certificate expiration

Let's configure monitoring of the Kubernetes API Server SSL certificate expiration. It will send notifications once a week.

Adding a Blackbox exporter module for Kubernetes API server authentication.

kubectl --namespace=monitoring edit configmap prometheus-blackbox-exporter
...
      kube-api:
        http:
          method: GET
          no_follow_redirects: false
          preferred_ip_protocol: ip4
          tls_config:
            insecure_skip_verify: false
            ca_file: /var/run/secrets/kubernetes.io/serviceaccount/ca.crt
          bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token
          valid_http_versions:
          - HTTP/1.1
          - HTTP/2
          valid_status_codes: []
        prober: http
        timeout: 5s

Adding the Prometheus scrape configuration

- job_name: 'kube-api-blackbox'
  metrics_path: /probe
  params:
    module: [kube-api]
  static_configs:
   - targets:
      - https://kubernetes.default.svc/api
  relabel_configs:
   - source_labels: [__address__]
     target_label: __param_target
   - source_labels: [__param_target]
     target_label: instance
   - target_label: __address__
     replacement: prometheus-blackbox-exporter:9115 # The blackbox exporter.

Using the Prometheus Secret

# tr strips the line wraps base64 adds, so the value stays on one YAML line
PROMETHEUS_ADD_CONFIG=$(base64 < prometheus-additional.yaml | tr -d '\n')
cat << EOF | kubectl --namespace=monitoring apply -f -
apiVersion: v1
kind: Secret
metadata:
  name: additional-scrape-configs
type: Opaque
data:
  prometheus-additional.yaml: $PROMETHEUS_ADD_CONFIG
EOF

Adding alert rules

kubectl --namespace=monitoring edit prometheusrules prometheus-k8s-rules
...
  - name: k8s-api-server-cert-expiry
    rules:
    - alert: K8sAPIServerSSLCertExpiringAfterThreeMonths
      expr: probe_ssl_earliest_cert_expiry{job="kube-api-blackbox"} - time() < 86400 * 90 
      for: 1w
      labels:
        severity: warning
      annotations:
        summary: "Kubernetes API Server SSL certificate will expire after three months (instance {{ $labels.instance }})"
        description: "Kubernetes API Server SSL certificate expires in 90 days\n  VALUE = {{ $value }}\n  LABELS: {{ $labels }}"

Useful links

Monitoring and logging in Docker

Source: www.habr.com